generated from coulomb/repo-seed
feat(directive): implement BRIDGE-WP-0004 AccessManagementDirective alignment
- ActorType enum (adm/agt/atm) replaces actor_class string; config validates naming convention (adm-*/agt-*/atm-*) with hard ConfigError on mismatch; legacy 'human'/'automation' values accepted with DeprecationWarning
- cert_command: pluggable shell string run before each SSH launch; cert written to state dir; -i cert appended to SSH command alongside -i key
- TTL-aware cert refresh: parses Valid-to via ssh-keygen -L; pre-emptive restart 5 min before expiry (no backoff, no attempt increment); CERT_EXPIRING logged
- CertAcquisitionError: cert failures trigger normal backoff/retry loop
- cert_identity: Key ID parsed from cert and recorded in BRIDGE_CONNECTED event
- bridge cert-status: new CLI command; exit 1 on expired cert; --json flag
- 233 tests passing, ruff clean

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
9
SCOPE.md
@@ -71,10 +71,11 @@ Claude Code sessions run locally; the Custodian State Hub API runs locally. Remo
## Current State
- Status: active (v0.1 core complete; directive alignment in progress — BRIDGE-WP-0004)
- Implementation: ~75% — CLI tunneling fully functional, MCP integration working, health
checks and audit logging complete; OpsCatalog framework present but not populated;
cert_command / ActorType alignment not yet implemented
- Status: active (v0.1 core complete; AccessManagementDirective alignment done — BRIDGE-WP-0004)
- Implementation: ~80% — CLI tunneling fully functional, MCP integration working, health
checks and audit logging complete; ActorType enum (adm/agt/atm) enforced; cert_command
mode implemented with TTL-aware refresh and cert_identity audit logging; OpsCatalog
framework present but not yet populated
- Stability: stable tunnel lifecycle; tested under network drops and SSH failures
- Usage: running in lab for daily Railiance/Temporal connectivity
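Review bot: The new Implementation bullet in the SCOPE.md "Current State" hunk says "ActorType enum (adm/agt/atm) enforced", but the commit message states that legacy 'human'/'automation' values are still accepted with a DeprecationWarning, so the status line overstates enforcement. Suggest wording it as enforced for the adm-*/agt-*/atm-* naming convention with the legacy values called out as deprecated but accepted, so a reader auditing actor identity does not assume every config already carries a typed actor. Since cert_command is described as a shell string run before each SSH launch, this section would also be a reasonable place to state who is trusted to set it in the config, and the jump from ~75% to ~80% would be easier to verify with a pointer to what remains besides populating OpsCatalog.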